1. Field of the Invention
The invention relates to a dual-interface payment device with a display. More particularly, it relates to a use of this type of payment device in contactless mode with a high level of security.
2. Description of the Related Art
‘Dual-interface payment device’ particularly refers to smart cards with two interfaces that further have a display and keypad. Even though a smart card has been used as an example in its description, the payment device according to the invention is not limited to a credit card format and could for example be a similar portable device such as a USB stick with a contactless interface; in such a case, the ISO 7816 interface described in this application would be replaced by a USB interface.
Commonly used dual-interface cards are cards with a contactless communication interface and a contact-type communication interface. Smart cards are commonly used with secure readers in order to use a transaction authorisation code. The operation remains fully secure provided that the reader is a certified reader.
Smart cards with displays have been known for a very long time. However, in order to retain the security of the secure microchip of the smart card, it is known to separate the secure transaction function from the display function. To that end, the application EP2577568 discloses a smart card with an integrated card reader that makes it possible to retain the full integrity of the secure microchip that carries out transactions, while allowing interaction with it to display information from that secure microchip. The reader integrated in the card is a reader that has been made ‘secure’ for the card bearer: only the card bearer has access to it, and the reader does not access an external network.
In terms of electronic transactions, it is known to carry out, for practical reasons, transactions that are not fully secure. Some transactions for small amounts do not involve a verification of the card authorisation code. In such cases, fraud is limited by the small amount of the transaction.
The development of smart telephones with advanced browsers and contactless communication interfaces compatible with smart cards (ISO 14443) makes it possible to secure Internet transactions by means of smart card payment using an authorisation code. However, mobile telephones are not secure. Indeed, mobile telephones are open communication systems that can receive new applications, and particularly malicious applications that can intercept what is displayed on the screen or entered on the keypad or the touch screen. This type of malicious application can thus steal the authorisation code, which can then be used subsequently after the card is stolen.
In order to remedy the aforementioned drawback, the international application filed on 11 Jul. 2014 under no. PCT/EP2014/064909 discloses a contactless transaction method with a display card in which a first contactless exchange sends a request for a transaction with the desired amount to the secure microchip from a telephone (or another non-certified reader). Once that first transaction is complete, the reader integrated in the display card reads the amount of the pending transaction and the card bearer can then validate the transaction by entering the authorisation code. A second contactless transaction may then be carried out by sending back a message that validates the transaction to the telephone, which can then send it to a server of the bank for final recording.
The method thus described is reliable but has the major drawback that the transaction is carried out in three distinct steps. Indeed, two operations are carried out in contactless mode and another one in contact mode with the reader integrated in the card. Because concurrent operation of the two types of interface is excluded, it is preferable for the operations to be clearly separate. This type of operation is not fluid for the user, who must manage the starting and stopping of the reader integrated in the card. As a result, it is difficult to deploy such a solution on a large scale.